SuSE alert: More information on the OpenSSH vulnerability

-----BEGIN PGP SIGNED MESSAGE-----

ISS and the OpenSSH team just released advisories concerning the
OpenSSH vulnerability. These advisories state that the vulnerability
exists only if the package has been compiled with support for S/Key
or BSDAUTH authentication. Inspecting the patches included in the
OpenSSH advisory, however, shows that there is a second vulnerability that
can be exploited when interactive keyboard mode is enabled (via the
PAMAuthenticationViaKbdInt option in sshd_config).

Neither S/Key nor BSDAUTH was enabled in previous RPMs released by
SuSE (i.e. the OpenSSH 2.9.9p2 RPMs previously released on March 6,
and the OpenSSH 3.0.2p1 RPMs released with SuSE Linux 8.0). Support for
interactive keyboard mode is compiled in, and is off by default in recent
RPMs. However, it can be enabled by the administrator.

This means that, in the default configuration, SuSE Linux users are
not affected by this vulnerability.
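
A configuration check for the setting named above, as an added example that is not part of the SuSE advisory: it reports the effective PAMAuthenticationViaKbdInt value in an sshd_config file. The function names are hypothetical, and it assumes sshd uses the first value it reads for a keyword, matches keywords case-insensitively, and treats an unset option as "no" (the default the advisory gives for recent RPMs).

```shell
#!/bin/sh
# Added example, not from the advisory. Function names are hypothetical.

# Print the effective PAMAuthenticationViaKbdInt value for the file in $1.
kbdint_setting() {
    awk '
        {
            line = $0
            sub(/#.*/, "", line)           # drop comments
            sub(/^[ \t]+/, "", line)       # drop leading whitespace
            if (line == "") next
            n = split(line, f, /[ \t=]+/)  # keyword, then value; tolerates "keyword=value"
            if (tolower(f[1]) == "pamauthenticationviakbdint" && n >= 2) {
                print f[2]                 # first value read wins (assumption)
                found = 1
                exit
            }
        }
        END { if (!found) print "no" }     # assumed default when the option is unset
    ' "$1"
}

# Return 1 when interactive keyboard mode is enabled, 0 otherwise.
audit_sshd_config() {
    setting=$(kbdint_setting "$1")
    if [ "$setting" = "yes" ]; then
        echo "$1: PAMAuthenticationViaKbdInt is enabled (non-default configuration)"
        return 1
    fi
    echo "$1: PAMAuthenticationViaKbdInt is '$setting' (default configuration)"
    return 0
}

# Constructed sample: a commented-out default, an administrator override,
# and a later duplicate line that is ignored under the first-value assumption.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample sshd_config
Protocol 2
#PAMAuthenticationViaKbdInt no
pamauthenticationviakbdint yes
PAMAuthenticationViaKbdInt no
EOF
audit_sshd_config "$sample" || true
rm -f "$sample"
```

Run `audit_sshd_config` against the sshd_config path your sshd actually loads; a non-zero return marks a host where the administrator has turned the option on.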